Controlling Information Systems: Business Process Controls
In this chapter we learn how to analyze narratives and systems flowcharts and begin to ANALYZE our documentation of a business process for controls that exist or are missing. For missing controls, implementation should follow (assuming the benefit of reducing the exposure exceeds the cost of the control). For existing controls, we still need to determine whether they are operating as expected or need to be corrected, and lastly whether we have too many overlapping controls in place, creating costs that exceed the benefits.
The Control Matrix (definition):
A tool designed to assist you in analyzing a systems flowchart and related narratives.
It establishes the criteria to be used in evaluating the controls in a particular business process.
Steps in Preparing the Control Matrix:
Step 1: Specify Control Goals: the first step in building a control matrix. The goals are listed across the top row of the matrix.
1. Identify the Operations Process Goals
a. Effectiveness goals - ensure the successful accomplishment of the goals set forth for the business process. * There should be at least 2 effectiveness goals.
b. Efficiency goals - ensure that all resources used throughout the business process are being employed in the most productive manner.
c. Security goals - ensure that entity resources are protected from loss, destruction, disclosure, copying, sale or other misuse.
2. Identify Information Process Goals
a. Input goals: ensure input validity (IV), input completeness (IC), and input accuracy (IA) with respect to all business process data entering the system.
b. Update goals: ensure update completeness (UC) and update accuracy (UA) of the business process input data.
Step 2: Recommend Control Plans:
This step focuses on the nature and extent of control plans that should be in place to minimize undesirable risk exposures to an acceptable level of residual risk.
1. Annotating "Present" control plans: Start at the upper left-hand column of the systems flowchart, follow the sequential logic of the flowchart and identify all of the process-related symbols. Each process-related symbol reflects an internal control plan that is already present. Label them P-1 to P-n in sequential order.
2. Evaluating "Present" control plans: Write the number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix. Then, starting with P-1, look across the row, determine which control goals the plan addresses, and place a P-1 in each cell of the matrix for which P-1 is applicable.
Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.
3. Identifying and Evaluating "Missing" control plans: determine whether additional controls are needed to address control goals that no present plan covers, to strengthen present control plans, or both.
a. Examine the control matrix to see whether there are any control goals that no present control plan addresses.
b. Evaluate the systems flowchart to decide whether further control plans are necessary.
b. Evaluate the systems flowchart to analyze if further control plans are necessary.
A completed control matrix and annotated systems flow chart help:
1. Tell about the control strengths and weaknesses of a particular system.
2. Facilitate evaluation from the perspectives of
a. control effectiveness - are all the control goals achieved?
b. control efficiency - do individual control plans address multiple goals?
c. Control redundancy - are too many plans directed at the same goal?
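As an added example (not from the textbook or these notes), the following Python builds a small control matrix for a hypothetical cash-receipts process and answers the three evaluation questions above mechanically: which goals no present plan addresses (effectiveness), which plans address several goals (efficiency), and which goals attract many plans (redundancy). The process, the present plans P-1 to P-5, the cells they tick, the legend text and the redundancy threshold are all constructed assumptions; the plan names are taken from the recommended control plans listed later in the chapter and the goal codes from Step 1.

```python
"""Control-matrix evaluator. Added example, not part of the textbook or these
notes; the process, its present plans and the cells they tick are constructed
for illustration. The matrix is a plan -> {goal: legend} mapping, and the
three evaluation questions become simple set operations."""
from __future__ import annotations

# Control goals across the top row. Codes: E1/E2 effectiveness goals of the
# operations process, EF efficiency, S security; IV/IC/IA input validity,
# completeness and accuracy; UC/UA update completeness and accuracy.
GOALS = ["E1", "E2", "EF", "S", "IV", "IC", "IA", "UC", "UA"]

# Present plans found walking a hypothetical cash-receipts flowchart, labelled
# P-1..P-n in flowchart order (constructed). Each ticked goal carries the
# legend text explaining how the plan addresses it.
PRESENT_PLANS = {
    "P-1 Preformatted screens": {
        "IA": "fixed-length fields reject malformed entries"},
    "P-2 Written approvals": {
        "IV": "supervisor initials authorize the remittance",
        "S":  "unauthorized receipts cannot enter the system"},
    "P-3 Programmed edit checks": {
        "IV": "unknown customer numbers are rejected",
        "IA": "limit and check-digit tests catch keying errors"},
    "P-4 Interactive feedback check": {
        "IC": "clerk sees accept/reject for every record keyed"},
    "P-5 Key verification": {
        "IA": "second keying compared to the first"},
}


def build_matrix(plans, goals):
    """Check that every ticked goal is a column; return plan -> set(goals)."""
    matrix = {}
    for plan, cells in plans.items():
        unknown = set(cells) - set(goals)
        if unknown:
            raise ValueError(f"{plan} ticks unknown goals {sorted(unknown)}")
        matrix[plan] = set(cells)
    return matrix


def unaddressed_goals(matrix, goals):
    """Control effectiveness: goals no present plan addresses.
    These are the candidates for 'missing' control plans."""
    covered = set().union(*matrix.values())
    return [g for g in goals if g not in covered]


def multi_goal_plans(matrix):
    """Control efficiency: plans that address two or more goals."""
    return [p for p, gs in matrix.items() if len(gs) >= 2]


def redundant_goals(matrix, goals, threshold=3):
    """Control redundancy: goals addressed by at least `threshold` plans.
    The threshold is a judgment call, not a figure from the notes."""
    hits = {g: [p for p, gs in matrix.items() if g in gs] for g in goals}
    return {g: ps for g, ps in hits.items() if len(ps) >= threshold}


def render(plans, goals) -> str:
    """Text rendering: goals across the top, plans down the side, legend below."""
    width = max(len(p) for p in plans)
    lines = [" " * width + "  " + " ".join(f"{g:>3}" for g in goals)]
    for plan, cells in plans.items():
        marks = " ".join(f"{'X' if g in cells else '.':>3}" for g in goals)
        lines.append(f"{plan:<{width}}  {marks}")
    lines.append("Legend:")
    for plan, cells in plans.items():
        for g, why in cells.items():
            lines.append(f"  {plan.split()[0]} {g}: {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(PRESENT_PLANS, GOALS)
    print(render(PRESENT_PLANS, GOALS))
    print("Unaddressed goals (missing-control candidates):", unaddressed_goals(m, GOALS))
    print("Plans addressing several goals:", multi_goal_plans(m))
    print("Possibly redundant goals:", redundant_goals(m, GOALS))
```

With the constructed plans, the evaluator reports that no present plan addresses the effectiveness, efficiency or update goals, that P-2 and P-3 each address two goals, and that input accuracy is covered three times, which is exactly the prompt to look for missing update controls and to question whether key verification and preformatted screens both need to stay.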
Generic Control Plans:
Input Plans (Manual Input)
Input Plans (Batch Input)
Edit Input Plans
Resolve Errors Plans
Correct Errors/Input Plans
Record Input Plans
List of Recommended Control Plans:
1. Document design - a source document is designed to make it easier to prepare and input the document.
2. Written approvals - an authorization of an event by initialling or signing the related document
3. Preformatted screens - control the entry of data with predefined fields
4. Online prompting - requests input from the user or asks questions the user must answer
5. Programmed edit checks - automatically performed once data is input. Four common types:
a. Reasonableness checks (limit checks) - test whether the data values entered fall within a predetermined limit or range
b. Document/record hash totals - a sum of numeric fields in the document or record (including fields that have no meaning as a total, such as account numbers), recomputed by the system and compared with the total taken from the source documents; a mismatch exposes a mis-keyed or dropped item
c. Mathematical accuracy check - compares manual and computer calculations (e.g., the extended amount keyed from the document against quantity times unit price recomputed by the system)
d. Check digit verification - an extra digit (check digit) computed from the other digits of an identifier (customer number, vendor number, etc.) is recomputed on input; a mismatch reveals a keying error such as a transposed digit
6. Procedures for rejected inputs - Erroneous data entered and not accepted is corrected and resubmitted for processing
7. Keying corrections - a process the clerk completes for rejected inputs, ensures accuracy of inputs
8. Interactive feedback checks - a control that informs the user whether the input has been accepted or rejected for processing (ensures completeness)
9. Record input - automatic process; stores accurate and valid input data on digital media for the updating procedures
10. Key verification - when a document is keyed by two separate individuals. The data entry software compares both to ensure accuracy.
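The programmed edit checks and the rejected-input procedures above, as an added example in Python (not code from the textbook or these notes). It runs a limit check, a mathematical accuracy check, check-digit verification and a document/record hash total over a constructed batch of four sales records, hands rejected records with their reasons to the error-resolution step, and shows a keying correction being resubmitted through the same edits. Assumptions not in the notes: the single-sale limit of 10,000.00, the Luhn mod-10 scheme as the check-digit algorithm (the notes name none), and all sample data.

```python
"""Programmed edit checks over a constructed batch of sales inputs.

Added example, not the textbook's code. Implements four of the edit checks
listed in the notes (limit check, document/record hash total, mathematical
accuracy check, check-digit verification) plus the rejected-input path.
Assumptions (not from the notes): the single-sale limit, the Luhn mod-10
scheme as the check-digit algorithm, and all sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from decimal import Decimal

# Assumption: policy says no single sale above this amount is reasonable.
AMOUNT_LIMIT = Decimal("10000.00")


@dataclass(frozen=True)
class SaleRecord:
    customer_no: str          # identifier whose last digit is a check digit
    quantity: int
    unit_price: Decimal
    extended_amount: Decimal  # keyed by the clerk; the system recomputes it


def luhn_valid(number: str) -> bool:
    """Check-digit verification (mod-10 / Luhn; an assumption, the notes name
    no algorithm). Detects any single-digit error and every adjacent
    transposition except 09 <-> 90."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit to the left of the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec: SaleRecord) -> list[str]:
    """Record-level programmed edit checks; an empty list means 'accepted'."""
    errors = []
    if not luhn_valid(rec.customer_no):
        errors.append(f"check digit: customer number {rec.customer_no} fails verification")
    if not Decimal("0.01") <= rec.extended_amount <= AMOUNT_LIMIT:
        errors.append(f"limit check: amount {rec.extended_amount} outside 0.01..{AMOUNT_LIMIT}")
    recomputed = rec.quantity * rec.unit_price
    if recomputed != rec.extended_amount:
        errors.append(f"mathematical accuracy: keyed {rec.extended_amount}, recomputed {recomputed}")
    return errors


def hash_total(records) -> int:
    """Document/record hash total: a sum of a field that is meaningless as a
    total (customer numbers) but exposes a mis-keyed or dropped record."""
    return sum(int(r.customer_no) for r in records if r.customer_no.isdigit())


def process_batch(records, control_hash_total):
    """Run batch- and record-level checks. Returns (accepted, rejected,
    batch_errors); rejected holds (record, reasons) for the error-resolution
    step so each input can be corrected and resubmitted."""
    batch_errors = []
    computed = hash_total(records)
    if computed != control_hash_total:
        batch_errors.append(f"hash total mismatch: computed {computed}, control {control_hash_total}")
    accepted, rejected = [], []
    for rec in records:
        reasons = edit_checks(rec)
        if reasons:
            rejected.append((rec, reasons))
        else:
            accepted.append(rec)  # eligible for the record-input step
    return accepted, rejected, batch_errors


def resubmit(rec: SaleRecord, **fixes):
    """Keying correction: apply the clerk's fixes and re-run the same edits."""
    corrected = replace(rec, **fixes)
    return corrected, edit_checks(corrected)


# Constructed sample batch (not real data). Record 2 has a keying error in the
# extended amount, record 3 transposes two digits of customer 204578, and
# record 4 exceeds the limit.
SAMPLE_BATCH = [
    SaleRecord("100230", 10, Decimal("12.50"), Decimal("125.00")),
    SaleRecord("204578", 3, Decimal("40.00"), Decimal("130.00")),
    SaleRecord("240578", 1, Decimal("50.00"), Decimal("50.00")),
    SaleRecord("333013", 2, Decimal("6000.00"), Decimal("12000.00")),
]
# Control total the clerk wrote on the batch transmittal, taken from the
# source documents (which carry the correct customer number 204578 twice).
CONTROL_HASH_TOTAL = 100230 + 204578 + 204578 + 333013

if __name__ == "__main__":
    acc, rej, berr = process_batch(SAMPLE_BATCH, CONTROL_HASH_TOTAL)
    for e in berr:
        print("BATCH:", e)
    for r in acc:
        print("ACCEPTED:", r.customer_no)
    for r, reasons in rej:
        print("REJECTED:", r.customer_no, "->", "; ".join(reasons))
```

Note that the transposed customer number is caught twice, once by the check digit at record level and once by the hash total at batch level; the two controls address the same accuracy goal, which is the kind of overlap the control matrix's redundancy question is meant to surface.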